警务网上查询系统网络安全体系
摘要
为加强系统内共享和综合利用,解决信息共享困难,开发利用全系统信息资源,按照公安部部署,我省建立全省的网上数据查询系统。
我部门警务网上查询系统由全省及各市、州综合信息查询服务节点组成,是一个全省性的具有统一规范和分布处理能力的大型综合信息应用系统,是实现全省以至部及其他省市信息资源高度共享和综合利用的关键项目。
因此确保网上数据查询系统安全运行将十分重要,本文深入分析网上查询的业务流程,结合我省当前信息安全建设现状,详细分析了其需要改进的地方,依靠PKI/CA的技术、构造了面向我省网上查询系统的安全体系整体框架。
The society's information-oriented improvement also provides the police bureaus information-oriented development with opportunities and challenges. More and more hostile fortes use information technology .When police bureaus attack the criminals ,the sum of the involved information is increasing quickly ,under this kind of background, it is very important to carry on public security information-oriented construction. And constructing "E-Government" and promoting the electronics governmental affairs have become the current development direction of the government. The police bureaus is the principal part taking charge of protection work in our society, carrying national security missions. As an important department of the government, how to use information-based techniques to construct police bureaus e-government system, improving work efficiency and ability to provide quick and convenient service to the society and satisfying the demand of the society development to police bureaus, has become the problem facing by all police in our country.
With the quick development of computer network technology, Internet comes into every field of social life, especially comes into the police bureaus information systems. At present, network has already become an important infrastructure of every police bureaus. Nevertheless, with the continuous extension of network applications, attacks to networks are increasing as well. Isolation information system and the system on Internet is increasing severity. The proclaimed message inside or outside the local area network is easily wiretapped, tampered and forged. The integrality, confidentiality and usability of data cannot be ensuring effectively, which threaten the stability of the system directly. Attackers use network technology, illegally intrude computer system, steal information, tamper data, and bring heavy losses to the nation. So, for police bureaus, how to protect network and information against illegal access is a serious problem. It will affect the development of information. In the face of the increasing severity security problem, we need an effective security mechanism to ensure the information system running steadily on edge. To achieve that goal, the paper investigates the major problems of network security and the local area network requirement, surveys the policies and technologies that implement network security. The paper brings forth a security network access scheme, which applies various security mechanisms and technologies to improve the entire network security.
Efficient operation of information system must be based on information security, The security of information has already become the key of construction of information system. Information security is in demand increasingly. To apply theory of cryptology to solve information security effectively, a system have been designed to bind public key and entity info, that is PKI(Public Key,Infrastructure).Public Key,Infrastructure, a widely-used security technique, is made up of Certificate Authorities(CA)which issue certificates to securely bind each entity to its public key. PKI technology binds users' public key with users' other identification information (such as name, E-mail, ID card number etc) through the trustable third party organization CA that gives the solution to the key distribution and management. So it can develop and deploy authentication, integrity, confidentiality and non-repudiation services for Internet application. It uses non-symmetry cryptography to provide security service and lucidly accommodate the key and certificate management to the encryption and digital signature for all network applications. Through the digital certificate, the encryption and the signature to the transmission data can be used to guarantee the confidentiality, authentication, integrity and non-repudiation for the information transmission. this paper with the further research on the theory of PKI technology, criterion of X.509 and SSL etc, a CA system for our office based on PKI was proposed in this paper. The system is composed of trust model, structure and function design, certificate database design, and implements the core functions of a standard CA system including signing, issuing and revoking certificates. The security communication modular of the system is based on the SSL Protocol to enhance the security of system communications. Besides, the kernel functions of the system are packed into DLL library, including symmetrical encryption algorithms, digest algorithms, digital signature algorithms and certificate operations (such as certificate request, certificate building, certificate format conversion etc.) to provide interfaces for other applications.
The Network Security System of Police Online Inquiry System is an important part of INFORMATION SECURITY PROJECT of the Ministry of Police . As required by the Ministry of police, it is necessary for the province to establish the system in order to strengthen share and comprehensive application of the security information, alleviate difficulty in information sharing and develop the resource of the security information. PKI/CA, which is based largely on cryptographic theory and provides mainly the services of authentication and confidentiality and integrality and non-repudiation, turns into the very important secure platform of authentication and authorization in network application and guarantees the information security of the network activity to people .The article based PKI/CA advanced technology, being consisted of the information search service node of the whole province and various cities, is not only a large scale comprehensive information application system of the whole province with unified ,normative and distributing processing ability ,but also a key project for realizing information share and comprehensive exploitation within security organization of the whole province and among the Ministry , other provinces and cities.
Online Inquiry System Based on PKI Technology not only strictly follows technical standard concerned, having the characteristics of platform, model, distribution, layer and module, but also is proved to be technically correct and socially beneficial after practice. It has made contributions to strike crime and formalized the security.
我部门警务网上查询系统由全省及各市、州综合信息查询服务节点组成,是一个全省性的具有统一规范和分布处理能力的大型综合信息应用系统,是实现全省以至部及其他省市信息资源高度共享和综合利用的关键项目。
因此确保网上数据查询系统安全运行将十分重要,本文深入分析网上查询的业务流程,结合我省当前信息安全建设现状,详细分析了其需要改进的地方,依靠PKI/CA的技术、构造了面向我省网上查询系统的安全体系整体框架。
The society's information-oriented improvement also provides the police bureaus information-oriented development with opportunities and challenges. More and more hostile fortes use information technology .When police bureaus attack the criminals ,the sum of the involved information is increasing quickly ,under this kind of background, it is very important to carry on public security information-oriented construction. And constructing "E-Government" and promoting the electronics governmental affairs have become the current development direction of the government. The police bureaus is the principal part taking charge of protection work in our society, carrying national security missions. As an important department of the government, how to use information-based techniques to construct police bureaus e-government system, improving work efficiency and ability to provide quick and convenient service to the society and satisfying the demand of the society development to police bureaus, has become the problem facing by all police in our country.
With the quick development of computer network technology, Internet comes into every field of social life, especially comes into the police bureaus information systems. At present, network has already become an important infrastructure of every police bureaus. Nevertheless, with the continuous extension of network applications, attacks to networks are increasing as well. Isolation information system and the system on Internet is increasing severity. The proclaimed message inside or outside the local area network is easily wiretapped, tampered and forged. The integrality, confidentiality and usability of data cannot be ensuring effectively, which threaten the stability of the system directly. Attackers use network technology, illegally intrude computer system, steal information, tamper data, and bring heavy losses to the nation. So, for police bureaus, how to protect network and information against illegal access is a serious problem. It will affect the development of information. In the face of the increasing severity security problem, we need an effective security mechanism to ensure the information system running steadily on edge. To achieve that goal, the paper investigates the major problems of network security and the local area network requirement, surveys the policies and technologies that implement network security. The paper brings forth a security network access scheme, which applies various security mechanisms and technologies to improve the entire network security.
Efficient operation of information system must be based on information security, The security of information has already become the key of construction of information system. Information security is in demand increasingly. To apply theory of cryptology to solve information security effectively, a system have been designed to bind public key and entity info, that is PKI(Public Key,Infrastructure).Public Key,Infrastructure, a widely-used security technique, is made up of Certificate Authorities(CA)which issue certificates to securely bind each entity to its public key. PKI technology binds users' public key with users' other identification information (such as name, E-mail, ID card number etc) through the trustable third party organization CA that gives the solution to the key distribution and management. So it can develop and deploy authentication, integrity, confidentiality and non-repudiation services for Internet application. It uses non-symmetry cryptography to provide security service and lucidly accommodate the key and certificate management to the encryption and digital signature for all network applications. Through the digital certificate, the encryption and the signature to the transmission data can be used to guarantee the confidentiality, authentication, integrity and non-repudiation for the information transmission. this paper with the further research on the theory of PKI technology, criterion of X.509 and SSL etc, a CA system for our office based on PKI was proposed in this paper. The system is composed of trust model, structure and function design, certificate database design, and implements the core functions of a standard CA system including signing, issuing and revoking certificates. The security communication modular of the system is based on the SSL Protocol to enhance the security of system communications. Besides, the kernel functions of the system are packed into DLL library, including symmetrical encryption algorithms, digest algorithms, digital signature algorithms and certificate operations (such as certificate request, certificate building, certificate format conversion etc.) to provide interfaces for other applications.
The Network Security System of Police Online Inquiry System is an important part of INFORMATION SECURITY PROJECT of the Ministry of Police . As required by the Ministry of police, it is necessary for the province to establish the system in order to strengthen share and comprehensive application of the security information, alleviate difficulty in information sharing and develop the resource of the security information. PKI/CA, which is based largely on cryptographic theory and provides mainly the services of authentication and confidentiality and integrality and non-repudiation, turns into the very important secure platform of authentication and authorization in network application and guarantees the information security of the network activity to people .The article based PKI/CA advanced technology, being consisted of the information search service node of the whole province and various cities, is not only a large scale comprehensive information application system of the whole province with unified ,normative and distributing processing ability ,but also a key project for realizing information share and comprehensive exploitation within security organization of the whole province and among the Ministry , other provinces and cities.
Online Inquiry System Based on PKI Technology not only strictly follows technical standard concerned, having the characteristics of platform, model, distribution, layer and module, but also is proved to be technically correct and socially beneficial after practice. It has made contributions to strike crime and formalized the security.
引文
[01] XX 厅.全省警务网上信息杳询系统论证调研会领导讲话.2004. 7-5
[02] 关振胜.公钥基础设施 PKI 与认证机构 CA、电子工业出版社,2002
[03] 周宏仁.电子政务全球透视与我国电子政务的发展.教育信息化,2003.2:(2~4)
[04] 管立国.电子政务的发展策略及其系统构建:[硕士学位论文].长春.东北师范大学,2005
[05] 国家电子政务标准化总体组.电子政务标准化指南.国务院信息化工作办公室,2005:6 一 7
[06] 赵战生,左晓栋,孙锐.2002 年国际信息安全保障动态.网络安全技 术与应用.2004 年第 5 期
[07] 卢开澄.计算机密码学一计算机网络中的数据保密与安全[M].第二 版.清华大学出版社,1998
[08] C.Adams,S.Lloyd.公开密钥基础设施一概念、标准和实施冯登国等译.人民邮电出版社,2001.
[09] 谢冬青,冷健著.PKI 原理与技术[M].清华大学出版社.2004.
[10] 王惠斌.数字签名与电子签名法.河南司法警官职业学院学报,2005 , (03): 37 一 39
[11] 曹来成.PKI 安全的关键:CA 的私钥保护.兰洲理工大学,2005 , (12): 75- 77
[12] Chadwick D.Understanding X.500 一 The Directory International ThomsonComputer Press,2005(O5):89 一 102
[13] Housley,W.Ford,W.Plok,d.Solo.Internet X.509 Public Key Infratucture Certificate and CRL Profile.Internet Request for Comments,2001,(01):254
[14] Carlisle Adam Steve.公开密钥基础设施一概念.标准和实施.北京邮电出版社,2001,(36)
[15] Stuart Haber,W.Scott Stornetta.Secure Names for Bit-Strings.Proceedings of the 4th ACM Conference on Computer and Communications Secuity,1997,(07):28一 35
[16] 周恒.使用电子证书增强信息安全性.华南金融电脑,2001, (12): 70
[17] 张雪琳,马跃. PKI中CRL撤消延迟的研究.系统工程理论与实践,2004,(03): 91一94
[18] ISO/IEC 9594-81ITU-T Recommendation X.509.Information Technology Systems Interconnection-The Directory:Authentication Framework. ITU, 1997,(08):67 一 87
[19] JAIKTRISHHA Narendra M.Thumbhekodige.ORACLE J2EE 应用开发(,周悦芝译).北京清华大学出版社,2003. 56-58
[20] http://www.openssl.org 官方网站
[21] http://www.openssl.cn 中国官网
[02] 关振胜.公钥基础设施 PKI 与认证机构 CA、电子工业出版社,2002
[03] 周宏仁.电子政务全球透视与我国电子政务的发展.教育信息化,2003.2:(2~4)
[04] 管立国.电子政务的发展策略及其系统构建:[硕士学位论文].长春.东北师范大学,2005
[05] 国家电子政务标准化总体组.电子政务标准化指南.国务院信息化工作办公室,2005:6 一 7
[06] 赵战生,左晓栋,孙锐.2002 年国际信息安全保障动态.网络安全技 术与应用.2004 年第 5 期
[07] 卢开澄.计算机密码学一计算机网络中的数据保密与安全[M].第二 版.清华大学出版社,1998
[08] C.Adams,S.Lloyd.公开密钥基础设施一概念、标准和实施冯登国等译.人民邮电出版社,2001.
[09] 谢冬青,冷健著.PKI 原理与技术[M].清华大学出版社.2004.
[10] 王惠斌.数字签名与电子签名法.河南司法警官职业学院学报,2005 , (03): 37 一 39
[11] 曹来成.PKI 安全的关键:CA 的私钥保护.兰洲理工大学,2005 , (12): 75- 77
[12] Chadwick D.Understanding X.500 一 The Directory International ThomsonComputer Press,2005(O5):89 一 102
[13] Housley,W.Ford,W.Plok,d.Solo.Internet X.509 Public Key Infratucture Certificate and CRL Profile.Internet Request for Comments,2001,(01):254
[14] Carlisle Adam Steve.公开密钥基础设施一概念.标准和实施.北京邮电出版社,2001,(36)
[15] Stuart Haber,W.Scott Stornetta.Secure Names for Bit-Strings.Proceedings of the 4th ACM Conference on Computer and Communications Secuity,1997,(07):28一 35
[16] 周恒.使用电子证书增强信息安全性.华南金融电脑,2001, (12): 70
[17] 张雪琳,马跃. PKI中CRL撤消延迟的研究.系统工程理论与实践,2004,(03): 91一94
[18] ISO/IEC 9594-81ITU-T Recommendation X.509.Information Technology Systems Interconnection-The Directory:Authentication Framework. ITU, 1997,(08):67 一 87
[19] JAIKTRISHHA Narendra M.Thumbhekodige.ORACLE J2EE 应用开发(,周悦芝译).北京清华大学出版社,2003. 56-58
[20] http://www.openssl.org 官方网站
[21] http://www.openssl.cn 中国官网